/ 
Jifty-0.71129
River stage two • 33 direct dependents • 33 total dependents
/ Jifty::Plugin::OAuth

NAME

Jifty::Plugin::OAuth

DESCRIPTION

A OAuth web services API for your Jifty app.

WARNING

This plugin is not yet complete. DO NOT USE IT.

USAGE

Add the following to your site_config.yml

framework:
  Plugins:
    - OAuth: {}

GLOSSARY

service provider

A service provider is an application that has users who have private data. This plugin enables your Jifty application to be an OAuth service provider.

consumer

A consumer is an application that wants to access users' private data. The service provider (in this case, this plugin) ensures that this happens securely and with users' full approval. Without OAuth (or similar systems), this would be accomplished perhaps by the user giving the consumer her login information. Obviously not ideal.

This plugin does not yet implement the consumer half of the protocol.

request token

A request token is a unique, random string that a user may authorize for a consumer.

access token

An access token is a unique, random string that a consumer can use to access private resources on the authorizing user's behalf. Consumers may only receive an access token if they have an authorized request token.

NOTES

You must provide public access to /oauth/request_token and /oauth/access_token.

You must not allow public access to /oauth/authorize. /oauth/authorize depends on having the user be logged in.

There is currently no way for consumers to add themselves. This might change in the future, but it would be a nondefault configuration. Consumers must contact you and provide you with the following data:

consumer_key

An arbitrary string that uniquely identifies a consumer. Preferably something random over, say, "Hiveminder".

secret

A (preferably random) string that is used to ensure that it's really the consumer you're talking to. After the consumer provides this to you, it's never sent in plaintext. It is always, however, included in cryptographic signatures.

name

A readable name to use in displaying the consumer to users. This is where you'd put "Hiveminder".

url (optional)

The website of the consumer.

rsa_key (optional)

The consumer's public RSA key. This is optional. Without it, they will not be able to use the RSA-SHA1 signature method. They can still use HMAC-SHA1 though.

TECHNICAL DETAILS

OAuth is an open protocol that enables consumers to access users' private data in a secure and authorized manner. The way it works is:

  • The consumer establishes a key and a secret with the service provider. This step only happens once.

  • The user is using the consumer's application and decides that she wants to use some data that she already has on the service provider's application.

  • The consumer asks the service provider for a request token. The service provider generates one and gives it to the consumer.

  • The consumer directs the user to the service provider with that request token.

  • The user logs in and authorizes that request token.

  • The service provider directs the user back to the consumer.

  • The consumer asks the service provider to exchange his authorized request token for an access token. This access token lets the consumer access resources on the user's behalf in a limited way, for a limited amount of time.

By establishing secrets and using signatures and timestamps, this can be done in a very secure manner. For example, a replay attack (an eavesdropper repeats a request made by a legitimate consumer) is actively defended against.

SEE ALSO

Net::OAuth::Request, http://oauth.net/

AUTHOR

Shawn M Moore <sartak@bestpractical.com>